Sophos has released twelve months of production data from its Managed Detection and Response (MDR) service, now defending 40,000 customers worldwide following 39 per cent year-on-year growth. The figures define what an agentic security operations centre looks like at scale.
The headline metric: 89 seconds from case creation to fully automated response for cases where AI is authorised to act. Fifty-two per cent of MDR cases are now closed end-to-end by AI, without human intervention, inside boundaries continuously calibrated by analysts. Every Sophos MDR customer — regardless of size — operates on the same agentic model, with threat intelligence compounding across all 40,000 accounts.
Redesigning the SOC
Sophos has re-architected its security operations around what it describes as a human-on-the-loop (HOTL) and human-in-the-loop (HITL) model. AI absorbs the high-volume, well-bounded work where speed matters; human analysts focus on threat hunting, novel attack patterns, and high-stakes decisions requiring contextual judgment. The result, Sophos argues, is not the replacement of analysts but an elevation of their work.
“The 52% gets the attention, but the 48% is just as important. When AI takes the volume off the human queue, our analysts get the bandwidth to do the work that requires their judgment: the novel attack patterns, the high-stakes decisions, the cases where context and business implications matter.” — Rob Harrison, SVP Product Management, Sophos
Independent Validation
Sophos was named the top overall solution across five G2 categories in the Summer 2026 reports — Endpoint Protection, EDR, XDR, MDR, and Firewall — the eighth consecutive quarter Sophos MDR has held the overall leader position. The company also received a 2026 Gartner Peer Insights Customers’ Choice designation for MDR with a 4.8 out of 5.0 rating based on 290 reviews, making it the most-reviewed vendor in that report.
Sophos is extending the agentic model across its portfolio through 2026, including integration of XDR and Next-Gen SIEM into a unified context lake, and the planned launch of Sophos CISO Advantage in autumn 2026.


